Some 2FA systems may offer you a “remember me for X days” option, for example. Doing full 2FA only occasionally, such as requesting new one-time codes only every few days or weeks.Typical 2FA exemptions, aimed at reaping most of its benefits without paying too high a price for inconvenience, include: To be fair, many or most of the services you use, probably including your own employer, generally do something similar. We’re guessing that’s because LastPass, in common with most companies and online services, doesn’t literally require 2FA for every connection where authentication is needed, but only for what you might call primary authentication. Unfortunately, as you can read above, two-factor authentication (2FA) didn’t help in this particular attack. There’s not an awful lot left in this paragraph if you drain out the jargon, but the key phrases seem to be “compromised endpoint” (in plain English, this probably means: malware-infected computer), and “persistent access” (meaning: the crooks could get back in later on at their leisure). While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.
He threat actor gained access to the Development environment using a developer’s compromised endpoint. N unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account.Ī follow-up announcement about a month later was similarly inconclusive: Popular password management company LastPass has been under the pump this year, following a network intrusion back in August 2022.ĭetails of how the attackers first got in are still scarce, with LastPass’s first official comment cautiously stating that:
0 kommentar(er)
